Resigning system.img on a device

Question

I am working on an automatic app updating solution for devices (LG p509 - Optimus 1) which we deploy to our customers. We have control of these devices and currently install a custom kernel on them (but not a full custom ROM). Since we are trying to do auto-updating of our app on the device, we need the system to be signed by a key which we control so we can sign our apps with the same key (to get the INSTALL_PACKAGES permission).
I have been having a few issues running AOSP builds on the device (using the LG released source for the device), and am trying to take a step back and evaluate our options. I have a few questions:

Is it viable to just pull the system.img off the phone and resign the contents? If so, where is the system apk located? I poked through the PackageManager source and it uses a systempackage (seemingly called "android") to compare apps with to see if they are allowed to have system permissions.
Has anyone here created a custom ROM for the device that could offer some advice on how just get our signature be the system signature?

Any insight would be appreciated.

score 15 · Accepted Answer · edited Feb 19 '15 at 18:13

15

Ok, so we figured it out. I am not going to go into full detail (too much writing), but here is the basic gist for anyone who stumbles on this:

If you want change the key which the system is signed with, you need to do the following steps:

Extract /system/ dir from the running phone
Inspect the .apk files (from /system/app and /system/framework) to figure out which ones are signed by the same key as the framework-res.apk. I used a modified version of the script linked here to figure out which APKs to sign.
If the APKs in /system/app which share the signing key with framework-res.apk are odexed, you need to de-odex them.
resign the APKs and the framework-res.apk and pack them in an update.zip (google how to do that).

On my specific device I had to resign both /system/framework/framework-res.apk and /system/framework/lge-res.apk from /system/framework and also had to de-odex and sign 20 .apks from the /system/app folder in order to get everything running smoothly.

edited Feb 19 '15 at 18:13

Steve Pomeroy

10,071
6
34
37

answered Feb 29 '12 at 21:35

natez0r

1,064
9
14

In the link you shared mentions that we need to zipalign once we sign the relevant apks (in system/apps) and framework-res.apk.But here you mention that we need to update.zip it.Are both the same? Can you please explain what needs to be done once the apks are signed ? – Basher51 Aug 07 '14 at 06:17
I have signed all my relevant apks.Now,since I had de-odexed some apks(prior to the signing process),hence shouldn't I odex them before I copy them back to the device? I'm stuck on how to do this.Can you please assist .. – Basher51 Aug 07 '14 at 08:11
Zipaligning is different than the update.zip. For more info on how to zipalign, check out google's docs (http://developer.android.com/tools/help/zipalign.html). After you zipalign, you can then create the update.zip similar to how they describe at http://forum.androidgadget.co.uk/showthread.php?tid=338 – natez0r Aug 07 '14 at 14:12
You shouldn't need to odex the APKs before moving them back to the device. – natez0r Aug 07 '14 at 14:15
Once the apks are zipaligned,instead of creating update.zip can't we simply copy them to the sd card and then to the system/app(a process reverse of what we did first) ? . Also, since we are not copying back the odex files to system/app hence,won't the newly signed apk file there create any issues with its corresponding old odex files (or are the odex files recreated by the JVM) – Basher51 Aug 08 '14 at 00:17
You should be able to just copy from the SDCard as long as you've mounted the system partition. To be honest, this was a long time ago and I don't recall if I had to do anything specific with regards to re-odexing. – natez0r Aug 08 '14 at 17:04
:You mention that you signed 'lge-res.apk' as well.Was it because when you can ran the script, 'lge-res.apk' too was filtered into the same folder as 'framework-res.apk' ? If so,do we need to re-sign all those apks inside system/framework which share the same key as 'framework-res.apk' ? – Basher51 Aug 11 '14 at 02:46
Thank you !! I was able to change the system signature of my device,and also run my app as a system app.In addition to the previous doubt,please clear one more.When we change the system's signature to our signature,then in that case what happens to the 'updates' of the apps(ones whose signature we changed) in system/app folder? Do those get updated whenever it is updated time and again from google play(since I believe the apps in google play will be having a different signature than that of the ones in system/app now)? contd... – Basher51 Aug 11 '14 at 05:00
:contd... Or will there be any pop up dialog sort of thing that would come on the device stating something like update aborted,since signatures are different ? PS: I just wanted to confirm the behavior since I really don't want those popups to come(and I am fine with system apps having different signatures not getting updated). – Basher51 Aug 11 '14 at 05:03
@natez0r if I understood correctly, after correctly producing the custom update.zip file, you use it to update the system image much like a FOTA update does. Shouldn't the update abort half-way through because you can't sign the update file with the private key used by the manufacturer of the device to sign the platform? – HenriqueMS Oct 13 '17 at 12:36

score 8 · Answer 2 · answered Feb 28 '12 at 02:47

The "system apk" is /system/framework/framework.jar. I've never tried to re-sign the system image but I've written code which was part of the system image (not within a normal apk project) and it became part of this jar. There are additional jars in this directory which may need to be re-signed also.

The signature is created randomly and placed in two files in your build environment, build/target/product/security/platform.pk8 and build/target/product/security/platform.x509.pem. I don't know how to extract these from a normal key store, however I've been able to copy them from one firmware build to another to ensure that both images had the same platform key. Also, I've been able to change the signature of APKs with this command: java -jar signapk.jar platform.x509.pem platform.pk8 Old.apk New.apk. You'll find signapk.jar in your build, at out/host/linux-x86/framework/signapk.jar

It seems like framework-res.apk was the system signature anchor that i was looking for. Still fussing with getting all the proper files resigned, but it is a start. thanks! — natez0r, Feb 29 '12 at 21:03

Resigning system.img on a device

2 Answers2

Linked